Message-ID: <kyzmstq5dodvgpmd7rge3gtdikbbpauw6fide7vccgii4xtb6n@bwrwjsx4ylmx>
Date: Thu, 20 Jul 2023 11:56:23 +0200
From: Michal Koutný <mkoutny@...e.com>
To: Zheng Wang <zyytlz.wz@....com>
Cc: shaggy@...nel.org, jfs-discussion@...ts.sourceforge.net,
linux-kernel@...r.kernel.org, hackerzheng666@...il.com,
1395428693sheep@...il.com, alex000young@...il.com,
security@...nel.org
Subject: Re: [PATCH] fs/jfs: Add a mutex named txEnd_lmLogClose_mutex to
prevent a race condition between txEnd and lmLogClose functions
Hello Zheng.
On Mon, May 15, 2023 at 05:59:56PM +0800, Zheng Wang <zyytlz.wz@....com> wrote:
> ==================================================================
> BUG: KASAN: slab-use-after-free in instrument_atomic_write include/linux/instrumented.h:87 [inline]
> BUG: KASAN: slab-use-after-free in clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline]
> BUG: KASAN: slab-use-after-free in txEnd+0x2a3/0x5a0 fs/jfs/jfs_txnmgr.c:535
> Write of size 8 at addr ffff888021bee840 by task jfsCommit/130
>
> CPU: 3 PID: 130 Comm: jfsCommit Not tainted 6.3.0-rc7-pasta #1
Is this still pertinent with the current mainline? (There were some
changes to jfs.)
> Through analysis, it was found that a race condition occurred between two
> functions lmLogClose and txEnd, which were executed in different threads.
> The possible sequence is as follows:
>
> -------------------------------------------------------------------------
> cpu1 (free thread)                 | cpu2 (use thread)
> -------------------------------------------------------------------------
> lmLogClose                         | txEnd
>                                    |   log = JFS_SBI(tblk->sb)->log;
> sbi->log = NULL;                   |
> kfree(log);          [1] free log  |
>                                    |   clear_bit(log_FLUSH, &log->flag); [2] UAF
That looks sane to a by-passer.
> Fix it by add a mutex lock between lmLogClose and txEnd:
It doesn't feel right wrt "lock data, not code" heuristics.
And when I apply that, it turns out there's already jfs_log_mutex.
I'd suggest you explain more why a new lock is needed (if that's the
preferred solution).
Thanks,
Michal
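As an added illustration of the "lock data, not code" point made above (this is not Zheng's patch nor the jfs code itself), the following C model reproduces the reported lmLogClose/txEnd interleaving and guards the shared `sbi->log` pointer with a lock on the data. The struct, function and lock names are simplified stand-ins; a tiny atomic spinlock takes the place of whatever kernel lock would actually protect the pointer.

```c
/* Added example, not the patch or the JFS code under discussion: the lmLogClose/txEnd
 * race from the report with sbi->log guarded by a lock on the data itself ("lock data,
 * not code").  Every name here is a simplified stand-in for the kernel one. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>
#define log_FLUSH 0                 /* bit index; stand-in for the real flag value */

/* Minimal spinlock standing in for the kernel lock that would guard sbi->log. */
typedef atomic_int model_lock_t;    /* 0 = free, 1 = held; zeroed memory is unlocked */
static void model_lock(model_lock_t *l) { while (atomic_exchange_explicit(l, 1, memory_order_acquire)) ; }
static void model_unlock(model_lock_t *l) { atomic_store_explicit(l, 0, memory_order_release); }

struct jfs_log { unsigned long flag; };
struct jfs_sb_info {
    model_lock_t log_lock;          /* guards sbi->log and the object behind it */
    struct jfs_log *log;
};

/* Stand-in for lmLogClose: unpublish and free the log under the lock, so no
 * reader can still be acting on a pointer it loaded from sbi->log. */
static void model_lmLogClose(struct jfs_sb_info *sbi)
{
    model_lock(&sbi->log_lock);
    struct jfs_log *log = sbi->log;
    sbi->log = NULL;                /* publish "no log" before freeing */
    free(log);                      /* [1] free log; no reader can hold it now */
    model_unlock(&sbi->log_lock);
}

/* Stand-in for the racy tail of txEnd: the pointer load, NULL check and flag write
 * share one critical section, so "[1] free, then [2] clear_bit on the freed log"
 * cannot interleave.  Returns false once the log has been closed. */
static bool model_txEnd_clear_flush(struct jfs_sb_info *sbi)
{
    bool cleared = false;
    model_lock(&sbi->log_lock);
    if (sbi->log) {                 /* alive for as long as we hold the lock */
        sbi->log->flag &= ~(1UL << log_FLUSH);
        cleared = true;
    }
    model_unlock(&sbi->log_lock);
    return cleared;
}

/* Constructed setup: an sbi with an open log whose FLUSH bit is set. */
static struct jfs_sb_info *model_sb_init(void)
{
    struct jfs_sb_info *sbi = calloc(1, sizeof *sbi);
    sbi->log = calloc(1, sizeof *sbi->log);
    sbi->log->flag = 1UL << log_FLUSH;
    return sbi;
}
```

Run single-threaded, the model shows the property the lock buys: a txEnd-side caller that arrives after the close sees `sbi->log == NULL` and backs off instead of touching freed memory.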